
Virtual Local Area Networks And

Wireless Virtual Local Area Networks


Project Report

By Paul C. Rollins

For Dr. Kris (Krzysztof) Gaj


ECE 636 Instructor

Prepared For
George Mason University
Department of Electrical and Computer Engineering
Fairfax, Virginia
VLANs and Wireless VLANs
Paul C. Rollins ECE 636 Project Report

TABLE OF CONTENTS

1 INTRODUCTION
1.1 VLANS
1.2 VPNS
1.3 COMPARISON
2 VLANS
2.1 VLAN HISTORY
2.2 VLAN PROTOCOLS
2.2.1 IEEE 802.1D
2.2.2 IEEE 802.1Q
2.2.3 Inter-Switch Link (ISL)
2.2.4 IEEE 802.10
2.2.5 LAN Emulation (LANE)
2.3 VLAN SECURITY
2.3.1 Security Provided by VLANs
2.3.2 VLAN Weaknesses
2.3.3 Security Required in VLAN
3 WIRELESS LANS (WLAN)
3.1 INTRODUCTION TO WIRELESS LANS
3.2 WIRELESS LAN PROTOCOLS
3.3 WIRELESS LAN SECURITY
4 WIRELESS VLANS
5 CONCLUSION
6 REFERENCES

636 Project Report May 3, 2001



1 INTRODUCTION

The Virtual Local Area Network (VLAN) has quickly grown from a buzzword bandied about in
test labs and expert kernel-hacker newsgroups and chat rooms into a networking term almost as
common as hub, switch or VPN. The hype is big, and only growing.

The purpose of this project is to explore the state of the art in VLAN technology and protocols,
in particular the security offered by the protocols and the security implications of using them.
A brief comparison of VLANs to Virtual Private Networks (VPNs) is also given because of the
common misunderstandings and confusion between the two technologies.

1.1 VLANs

What is a VLAN? With the large number of proprietary VLAN implementations and solutions
that differ from each other in fundamental ways, this is a difficult question to answer. At their
most basic, common level, most experts agree that a VLAN is roughly equivalent to a broadcast
domain that is independent of physical location [4]. There may be multiple VLANs on a single
physical switch or a single VLAN may span multiple switches.

Standard physically defined broadcast domains are comprised of the machines locally connected
to hubs and switches that can communicate without their traffic traversing a router. In other
words, all machines that share a common router gateway interface are a broadcast domain.
VLANs can be used to break these physical broadcast domains into many virtual broadcast
domains.

In short, VLANs segregate physically connected machines into groups/domains that act as
though they were NOT physically connected.

1.2 VPNs

The openness and free availability of information and resources is one of the core strengths of
the Internet. It is also one of its primary weaknesses. Without adequate security protections, the
Internet can be a very dangerous way to communicate private or sensitive information. This
danger is increased by the convenience of such communication. VPNs are one of many security
mechanisms that attempt to solve some of these issues.

A VPN is used to provide security services to disparately located machines or networks, such
that their Internet communications are as safe as (or safer than) if they were communicating on
a Local Area Network. The security services generally offered are user authentication, message
integrity and message confidentiality. VPNs are most often described as tunnels; the tunnel
protects the data within it. Tunnel endpoints can be located at an individual user’s
workstation (for road warriors or home workers) or at a LAN gateway (for connection of an
entire LAN to the remote user or users).


VPNs attempt to aggregate machines that are physically separated into groups/domains that act
as though they are co-located.

1.3 Comparison

The concluding paragraphs in the above sections describe the fundamental difference between
VLANs and VPNs. To recap the difference:

VLANs attempt to segregate physically connected machines into groups/domains that act as
though they were NOT physically connected.

While:

VPNs attempt to aggregate machines that are physically separated into groups/domains that act
as though they are co-located.

2 VLANS

2.1 VLAN History

The following is a short history of the development of VLAN technology. It is significant
because the motivations to invent the technology directly dictated the features built into the
implementations.

Throughout the years, increases in the number of hosts commonly on Local Area Networks
(LANs) and in the use of networked applications have caused enormous increases in the overall
amount of traffic on typical LANs. This increase in traffic caused congestion and collision
problems in the shared-media world of Ethernet, the dominant LAN technology over the past
fifteen years. This led network managers to use routers and hubs to segregate their networks into
many subnets with fewer hosts on each. This idea was soon taken to its natural extreme by the
use of Ethernet switches, effectively putting each host on its own hub and virtually eliminating
collision problems altogether. Switches even started replacing non-gateway routers to a large
degree within many networks. The popularity of Ethernet switches grew quickly, because they
are both cheaper and faster than routers. This is due to the differences between operating at OSI
layer 2 versus OSI layer 3. In layer 3, the internetworking layer, where routers work, the
addressing element for TCP/IP networks is the IP address. Routing of layer 3 packets is done
by an operation called a longest prefix match. This operation looks at the IP address and finds
the route in the routing table that most closely matches the address being routed. This is a slow
and complex operation, which makes routers slow and costly. Layer 2 switching, which is what
switches do, is done by a simple table look-up operation. Table look-up operations are very fast
and simple to implement.


Now, in switched environments, even larger numbers of hosts were gathered on switches. Even
where hubs were used, the hubs were often then connected to switches. This huge increase led to
an equally huge increase in the amount of “background” broadcast traffic (ARP, RIP,
NETBEUI…). This kind of background traffic was previously only a minor annoyance, but the
increase in broadcast traffic due to broad, flat switched networks led network managers to
want to segment the switched network even further, so that even broadcast traffic reached as
few unnecessary hosts as possible. They wanted to do this while leaving the hosts connected to
the same physical switches. This is where the idea for Virtual LANs emerged.
First-generation VLANs were limited to a single switch. Second-generation VLANs were able to
span multiple switches. VLANs are implemented by software that resides on the switches
themselves. All switches involved in the VLAN structure must support the VLAN protocol
being used.

One or more of the following parameters commonly defines VLAN membership:

• Switch Ports
• MAC Addresses (Layer 2)
• Protocol (Layer 2 or 3)
• Network Addresses (Layer 3)

Most current VLAN protocols allow arbitrary combinations of these parameters to define VLAN
membership. Currently used VLAN protocols add the VLAN information to the layer 2 frame
by adding a “tag” containing the VLAN ID to each frame.

This history is important because it shows the specific motivations that led to the development of
VLAN protocols. After the first VLANs were implemented and standardization was being
seriously pursued, other non-performance-related issues were raised and other uses of VLANs
were brought up. Of primary interest in this report is the use of VLANs to provide security
services.

[Figure 1: Typical VLAN Environment. Hosts (H) attached to several interconnected switches
(SW) are grouped into VLAN 1 through VLAN 5 independently of which switch they are
attached to.]


2.2 VLAN Protocols

IEEE is the standards body doing the most active work in VLAN standardization. The IEEE
802.1 Internetworking Subcommittee is the specific group in charge of this technology area. In
March 1996 the subcommittee finished the initial phase of investigation for developing VLAN
standards [1]. The IEEE work, as well as other VLAN-related standards, is introduced briefly
below.

2.2.1 IEEE 802.1D


IEEE 802.1D is more formally known as the MAC Bridges Traffic Class Expediting and
Dynamic Multicast Filtering Protocol [1]. This is a fancy name, but it is merely the IEEE MAC-
layer spanning tree algorithm. The spanning tree algorithm guarantees loop-free delivery of
MAC frames, even in the presence of alternate paths that present the potential for routing loops.
This is extremely important to VLAN switching. Fortunately, it was also important to Ethernet
bridge-based networks years earlier, so the protocol was already completely defined and
widely implemented long before VLANs existed.

2.2.2 IEEE 802.1Q


The crown jewel that resulted from the March 1996 IEEE 802.1 Subcommittee meetings was the
802.1Q frame tagging standard. The 802.1Q standard defines how the following functions are to
be performed in VLANs [1]:
• Positions the functions of virtual bridged LANs (VLANs) within an architectural
description of the MAC layer.
• Specifies the operation of the functions that provide frame relay in the VLAN Bridge.
• Defines the structure, encoding, and interpretation of the VLAN control information
carried in MAC frames in a VLAN.
• Specifies the rules that govern the insertion and removal of VLAN control
information in MAC frames.
• Establishes the requirements for, and specifies the means of, automatic configuration
of VLAN topology information.
• Defines the management functionality that may be provided in a VLAN bridge in
order to facilitate administrative control over VLAN operation.
• Specifies requirements to be satisfied by equipment claiming to conform to this
standard.

There are two MAC tagged frame structures defined in the standard, one for Ethernet and the
other for Token Ring/FDDI. The Ethernet “tag” consists of a two-octet Tag Protocol Identifier
(TPID) and a two-octet Tag Control Identifier (TCI). The Token Ring/FDDI “tag” has an eight-
octet TPID and the same two-octet TCI. The TPID identifies the frame as a tagged frame. The
TCI carries user priority information as well as the actual VLAN Identifier (VID).

2.2.3 Inter-Switch Link (ISL)


Cisco switches exchange VLAN membership information using the ISL protocol. ISL uses an
extremely cost-effective, low-latency method of packet identification and transmission in Fast
Ethernet environments. ISL uses an efficient 10-bit addressing technique [6] (compared to IEEE
802.1Q’s 32-bit addressing). Additionally, ISL is supported by the Cisco Internetworking
Operating System (IOS) used in Cisco (and other) routers. This provides VLAN
interoperability between switches connected through routers.

2.2.4 IEEE 802.10


In addition to the ISL protocol, Cisco has also created a protocol based on IEEE 802.10. The
IEEE 802.10 protocol was designed as a tagging format for adding security to LANs at layer 2.
The protocol is not widely used. Cisco introduced the idea of using the 802.10 tagging format to
transmit VLAN tagging information. The introduction of 802.1Q and ISL has now replaced much
of the functionality the 802.10 protocol was to be used for. The one major function Cisco still
uses it for is to communicate VLAN information across FDDI links. Neither 802.1Q nor ISL
is defined for FDDI frame types.

2.2.5 LAN Emulation (LANE)


ATM LAN Emulation (LANE) is designed to allow existing Ethernet-based devices and protocols
to run over ATM backbone networks as if they were on the same LAN [4]. This is accomplished
by introducing two new types of devices into the network: LANE Servers (LESs) and LANE
Clients (LECs). A LEC is software that resides either on the Ethernet switch or on a stand-alone
device. A LES is software that resides either on the ATM switch or on a stand-alone device. The
LESs and LECs serve as MAC-to-ATM address translators. After the address translation is done,
the LECs handle the conversion of Ethernet frames to and from ATM cells.

Within this kind of mixed technology environment VLANs can still exist. The primary
limitation is that with basic LANE implementations, all ATM connected machines that interface
to the Ethernet world through a given interface must belong to the same VLAN. This is due to
LANE implementation issues. This limitation can be avoided in more robust LANE
implementations that allow multiple LECs to be instantiated within the same physical switch or
device. This improvement comes at the cost of additional configuration and management. Note
that there is no limitation on VLAN usage by Ethernet connected hosts. If ATM is used only as
the backbone of the network, and there are no ATM connected hosts, LANE introduces no
limitations.


2.3 VLAN Security

This section discusses two issues. The first is the security features of VLANs. The second
is how to secure VLAN architectures.

2.3.1 Security Provided by VLANs


Although security was not among the primary motivations or goals in the development of VLAN
technology, there are several positive security-relevant implications of using VLANs.

One security implication is that VLAN software in Ethernet switches turns VLAN enabled
switches into a kind of firewall [4]. The introduction of VLAN technology into switches means
the switch must implement a routing function to do inter-VLAN communications. Theoretically,
the switch could forward packets to an external router for routing, but in reality, all major
implementations build a routing function into the switch. This software typically has packet
filtering capabilities. This security advantage is not a direct result of the VLAN technology, but
is definitely related.

Another implication is due to the reduction in the size of typical broadcast domains. VLAN
networks typically have much smaller broadcast domains than non-VLAN networks. This
makes eavesdropping attacks harder and less efficient to implement [4]. This is especially true
because VLANs are implemented through switches, which already provide a high level of
eavesdropping protection. The switch limits eavesdropping by limiting the visibility of standard
unicast traffic. VLANs improve this by also limiting the visibility of broadcast packets.

The third positive security implication is that the logical segregation provided by VLANs
gives a level of protection against “casual” attack [7]. One of the greatest threats in many
environments is the insider threat. Not only active malicious insiders are threats, but even the
“casual,” “bored” or “curious” insider. They are not intentionally attempting to harm the
organization; they are just testing their limits, just “poking around”. They can find
sensitive or private information. They can unknowingly disclose information whose sensitivity
they do not understand. Their access can lead auditors to impose penalties for allowing
improper access. If for some reason the “bored,” “casual” user becomes disgruntled, the
information gained could suddenly be used in more malicious ways.

The final implication has to do with VLAN membership tables. VLAN membership tables have
become a sort of Access Control List (ACL). Traffic can be dropped at the switch based on the
same parameters that can define VLAN membership. Most commonly these parameters include
MAC address, IP address and protocol usage. Most vendors have built a “safe mode” into their
products. In this mode, if you are not a member of a VLAN recognized by the switch, your
traffic is dropped. The typical VLAN architecture is configured with a “default.” If the switch
cannot identify a host with any defined VLAN, its traffic is tagged for the default VLAN. This
feature must be turned off to enter safe mode.
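
As an added example (not code from this report), the following Python parses the 802.1Q Ethernet tag described in section 2.2.2 (a two-octet TPID followed by a two-octet TCI carrying the user priority and the VID) and then applies the "default VLAN" versus "safe mode" ingress policy described above, with untagged frames assigned by source MAC address. The TPID value 0x8100 and the TCI bit layout (3-bit priority, 1-bit CFI, 12-bit VID) come from the 802.1Q standard rather than from the page; the membership table and the frames are constructed sample data.

```python
import struct

# EtherType value that marks an 802.1Q tagged frame (from the standard, not the page).
TPID_8021Q = 0x8100


def parse_8021q(frame: bytes):
    """Split an Ethernet frame into (dst, src, tag, ethertype, payload).

    `tag` is None for an untagged frame, otherwise a dict with the TCI fields the
    page describes: 3-bit user priority, 1-bit CFI and the 12-bit VLAN Identifier.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    tag = {"tpid": ethertype, "priority": tci >> 13,
           "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
    return dst, src, tag, inner_type, frame[18:]


def build_8021q(dst: bytes, src: bytes, vid: int, ethertype: int,
                payload: bytes, priority: int = 0) -> bytes:
    """Insert a tag after the addresses: TPID, TCI = priority | CFI=0 | VID, then the original EtherType."""
    if not (0 <= vid <= 0x0FFF and 0 <= priority <= 7):
        raise ValueError("VID must fit in 12 bits and priority in 3 bits")
    return dst + src + struct.pack("!HHH", TPID_8021Q, (priority << 13) | vid, ethertype) + payload


def classify_ingress(frame: bytes, known_vlans: set, mac_membership: dict,
                     default_vlan: int, safe_mode: bool):
    """Assign an ingress frame to a VLAN as section 2.3.1 describes.

    A tagged frame carries its VID; an untagged frame is assigned by source MAC,
    one of the layer-2 membership parameters from section 2.1. A frame whose VLAN
    the switch does not recognise goes to the default VLAN, or is dropped (None)
    when safe mode is on.
    """
    _, src, tag, _, _ = parse_8021q(frame)
    if tag is not None and tag["vid"] != 0:   # VID 0 is a priority-only tag: treat as untagged
        vid = tag["vid"]
    else:
        vid = mac_membership.get(src)
    if vid in known_vlans:
        return vid
    return None if safe_mode else default_vlan


# Constructed sample data: VLANs 1, 2 and 5 defined on the switch, default VLAN 1.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
UNKNOWN = bytes.fromhex("020000000099")
BCAST = b"\xff" * 6
IPV4 = 0x0800
KNOWN_VLANS = {1, 2, 5}
MAC_MEMBERSHIP = {HOST_A: 2, HOST_B: 5}


def untagged_frame(src: bytes) -> bytes:
    return BCAST + src + struct.pack("!H", IPV4) + b"constructed payload"


def demo() -> dict:
    tagged = build_8021q(BCAST, HOST_A, 5, IPV4, b"constructed payload", priority=3)
    stray = build_8021q(BCAST, HOST_A, 7, IPV4, b"constructed payload")   # VLAN 7 is not defined
    args = (KNOWN_VLANS, MAC_MEMBERSHIP, 1)
    return {
        "tag": parse_8021q(tagged)[2],
        "tagged_known": classify_ingress(tagged, *args, safe_mode=False),
        "tagged_unknown_default": classify_ingress(stray, *args, safe_mode=False),
        "tagged_unknown_safe": classify_ingress(stray, *args, safe_mode=True),
        "untagged_member": classify_ingress(untagged_frame(HOST_B), *args, safe_mode=True),
        "untagged_unknown_default": classify_ingress(untagged_frame(UNKNOWN), *args, safe_mode=False),
        "untagged_unknown_safe": classify_ingress(untagged_frame(UNKNOWN), *args, safe_mode=True),
    }
```
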


2.3.2 VLAN Weaknesses


One primary weakness of VLAN security is the complete lack of cryptographic protection. It
is not really so much a weakness as it was simply not a design objective.

Another weakness is the possibility of software bugs. Again this is not a weakness of the
architecture or protocols. It is an inevitable implementation weakness. Several existing products
were shown to allow “VLAN Hopping” where packets tagged for one VLAN ended up in a
different VLAN [10]. There is no way to avoid the possibility of these software errors. But this
is true for any technology, and has nothing to do with VLAN technology itself.

Another weakness is the additional administration involved. Additional administration is
additional complexity, which can lead to configuration errors.

2.3.3 Security Required in VLAN


Fortunately for security professionals, there is nothing really new they need to do to secure
VLANs beyond what they do to secure other network architectures. The same security services will be o
• Authentication
• Access Control
• Confidentiality
• Integrity
• Nonrepudiation
• etc

These services can be provided in the same way as they are in any other network environment.
User-Authentication and Access control can be provided by techniques such as: passwords,
challenge-response, callback, one-time passwords, Kerberos, RADIUS, tokens…

Access Control can be enforced by means of such techniques as ACLs, Operating System
controls, Auditing, good Authentication, traffic filtering, intrusion detection,…

Confidentiality and Integrity, probably the most talked about and recognized security services,
can be enforced by such techniques as: IPSEC, VPN, Encrypted File Systems, File System
Integrity checkers, secure applications…

3 WIRELESS LANS (WLAN)

3.1 Introduction to Wireless LANs

As with VLANs, wireless technologies are also growing in popularity. PDAs, wireless phones,
laptop computers and other mobile computing devices are becoming more common, and are
depended on in more important ways. Also, high-speed radio frequency (RF) transmission and
reception technologies have made remarkable advances that make their use in small, battery-
operated mobile devices feasible. Wireless networking makes traveling demonstrations
for salespeople at customer sites, conferences or expositions much easier. Their use even in
fixed-location devices and applications also has significant advantages because of the time,
effort and expense saved by not wiring (and rewiring, and rewiring…) an office suite or building.

The general architecture used in almost all wireless LAN environments is to have multiple
WLAN-enabled devices communicate through one or more Access Points (APs). The AP can be
a hardware appliance or software running on any WLAN-enabled machine. Typically the AP is
wired to the network infrastructure to provide access to the local wired LANs or Internet. The
AP is analogous to a cellular base station or, more loosely, even to a wired Ethernet hub. The
figure below [12] shows a typical wireless environment with two APs connected to a wired
distribution system (typically an Ethernet LAN), which provides full network access to the
wireless hosts.

Figure 2: Typical WLAN Environment

3.2 Wireless LAN Protocols

One wireless LAN protocol dominates the industry: IEEE 802.11. 802.11 was first adopted in
1997 [13] and has since been updated as 802.11b. The 802.11 standard covers the physical and
data link layers of the OSI model.

The standardized physical layer is based on RF broadcasting in the 2.4 GHz range. The
exact frequencies used depend on the frequencies allocated by the regulatory authorities in
various regions of the world. Four standard data rates are supported: 1 Mbps, 2 Mbps,
5.5 Mbps and 11 Mbps. Spread spectrum techniques are used. Frequency Hopping Spread Spectrum
(FHSS) is supported at 1 Mbps and 2 Mbps. Direct Sequence Spread Spectrum (DSSS) is
supported at all four standardized data rates. Typical indoor ranges between components are
listed at 150-300 feet, and 1000 feet outdoors [14]. These ranges depend greatly on the
environment.

The data link layer is based largely on the 802.3 Ethernet frame format. 802.11 network
interface cards (NICs) have a globally unique 48-bit MAC address, exactly as 802.3 Ethernet
NICs do. 802.11 WLANs use a Carrier Sense Multiple Access with Collision Avoidance
(CSMA/CA) technique almost identical to the Ethernet Carrier Sense Multiple Access with
Collision Detection (CSMA/CD) technique.

3.3 Wireless LAN Security

On top of this Ethernet-like data link layer, however, the 802.11 committee created a security
protocol called Wired Equivalent Privacy (WEP). WEP was designed to raise the security of
802.11 networks to roughly that of their wired 802.3 counterparts. The primary goal of WEP
was to prevent eavesdropping on the RF-broadcast data, with secondary goals of providing data
integrity verification and a level of access control. This basic level of security was seen as
critical to make WLANs acceptable for use where even moderate levels of security are needed.
Higher security requirements were to be met by other mechanisms such as IPSEC.

The following figure shows how a WEP frame is constructed from an 802.11 frame. The original
802.11 frame is labeled in the figure as "Message." To this frame is added a 32-bit Cyclic
Redundancy Check (CRC) integrity checksum. This CRC is appended to the Message to form
the Plaintext to be encrypted. RC4 stream encryption is used. The RC4 algorithm is keyed using
the shared secret key, appended with an Initialization Vector (IV) shown as "v" in the figure.
The initialization vector and key identifier, along with the Ciphertext, are transmitted as the
protected WEP frame.
[Figure 3: WEP Frame Construction. Plaintext = Message || CRC; Keystream = RC4(v,k);
Ciphertext = Plaintext XOR Keystream; Transmitted Data = IV, KeyID, Ciphertext.]


WEP encryption is accomplished using RC4 stream encryption. The WEP standard calls for a 40-
bit key. Vendors have already implemented 64- and 128-bit variations of WEP. Longer key
lengths are being designed into the next 802.11 version. The standard calls for four system-wide
global keys and optionally a separate key for each host. Most implementations do not support
the option to have a key for each host. In practice, almost all installations use only one key for
an entire network. These keys are also configured into devices through difficult manual
processes, which means they are not changed often.

Unfortunately, weaknesses have been found in the WEP protocol. Nikita Borisov, Ian
Goldberg and David Wagner were the researchers who originally discovered and published
descriptions of the following weaknesses and sample attacks based on them [12].

The group published three general weaknesses. They also published many attacks based on
these fundamental weaknesses. The three weaknesses are:
1. The standard does not disallow IV (key) reuse
2. The CRC integrity checksum is a linear function of the message
3. The CRC integrity checksum is an unkeyed function of the message

Weakness 1 leads to several means of deriving short segments of the keystream and repeatedly
using a known keystream segment to decrypt future packets that reuse the same IV. With a
known plaintext/ciphertext pair, the keystream can be directly computed. As it turns out, it is
quite easy to trick the network into encrypting or decrypting certain packets, broadcast packets
for instance, giving away portions of the key sequences one packet at a time. A patient attacker
can build up a dictionary of known IV/keystream pairs. The difficulty of changing keys means
that most operational systems use the same keys for months at a time. A rather complete
dictionary can be built up in a matter of days.

Weakness 2 leads to a fundamental problem. Arbitrary changes can be made to the message
and checksum without detection. Because the checksum is a linear function of the message, two
methods can be used to make the checksum match a modified message: 1) a counteracting
change to another part of the message can make the new message have the same checksum as the
original message, or 2) a corresponding change to the checksum itself can be deterministically
computed from the change made to the message. A further complication is caused because
the encryption itself is also linear. The message-altering attacks described above can be done
to the ciphertext, with no knowledge of the plaintext. Certain parts of the message may be
known, such as the IP addresses, and their placement within the packets is known. So IP
addresses (or other similarly predictable fields) can be modified, again, without any knowledge
of the key or plaintext.

Weakness 3 leads to several more problems. Because the checksum is unkeyed, an attacker can
create checksums for messages where the plaintext is known. As soon as the attacker knows one
IV/keystream pair (based on weakness 1), packets can be inserted into the network at will. Access
Points are required to accept packets even if they reuse the same IV over and over again, or risk
noncompliance with the standard.
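
The WEP construction of Figure 3 and the first two weaknesses above, as an added example that is not from the report or from the cited paper. RC4 is seeded with IV || key (the standard's ordering, which the RC4(v,k) label in the figure suggests), a 3-byte IV and a 40-bit key are assumed, and the key, IVs and frames are constructed sample data. `find_iv_reuse` is the defender-side check for weakness 1, `recover_keystream` shows why one known plaintext under a reused IV matters, and `crc_is_affine` shows the linearity of weakness 2, contrasted with a keyed HMAC tag (the kind of integrity check weakness 3 calls for) that does not have it.

```python
import binascii
import hashlib
import hmac
from collections import Counter


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    """The 32-bit CRC integrity checksum WEP appends to the message."""
    return (binascii.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, key_id: int, message: bytes) -> bytes:
    """Figure 3: Plaintext = Message || CRC; Ciphertext = Plaintext XOR RC4(v, k).
    Returns the transmitted data IV || KeyID byte || Ciphertext (KeyID in the
    top two bits of the byte after the 3-byte IV, the assumed layout)."""
    assert len(iv) == 3 and 0 <= key_id <= 3
    plaintext = message + crc32(message)
    return iv + bytes([key_id << 6]) + xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes):
    """Reverse of wep_encrypt: returns (message, crc_ok)."""
    iv, ciphertext = frame[:3], frame[4:]
    plaintext = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    message, tag = plaintext[:-4], plaintext[-4:]
    return message, tag == crc32(message)


def find_iv_reuse(frames) -> set:
    """Defender-side check for weakness 1: IVs seen more than once in a capture."""
    counts = Counter(f[:3] for f in frames)
    return {iv for iv, n in counts.items() if n > 1}


def recover_keystream(frame: bytes, known_message: bytes) -> bytes:
    """Weakness 1: ciphertext XOR known plaintext is the keystream for that IV."""
    return xor(frame[4:], known_message + crc32(known_message))


def crc_is_affine(m: bytes, delta: bytes) -> bool:
    """Weakness 2: crc(m XOR d) == crc(m) XOR crc(d) XOR crc(zeros), so a checksum
    can be adjusted for a change to the message without knowing the message."""
    lhs = crc32(xor(m, delta))
    rhs = xor(xor(crc32(m), crc32(delta)), crc32(bytes(len(m))))
    return lhs == rhs


def hmac_is_affine(key: bytes, m: bytes, delta: bytes) -> bool:
    """The same test against a keyed MAC: the relation does not hold."""
    def tag(x: bytes) -> bytes:
        return hmac.new(key, x, hashlib.sha256).digest()
    return tag(xor(m, delta)) == xor(xor(tag(m), tag(delta)), tag(bytes(len(m))))


# Constructed sample data: a 40-bit key, one IV used twice and a second IV used once.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("0a0b0c")
MSG1 = b"constructed broadcast frame 1"
MSG2 = b"constructed unicast frame 22"


def demo() -> dict:
    f1 = wep_encrypt(KEY, IV, 0, MSG1)
    f2 = wep_encrypt(KEY, IV, 0, MSG2)                  # reuses the IV of f1
    f3 = wep_encrypt(KEY, bytes.fromhex("0a0b0d"), 0, MSG2)
    ks = recover_keystream(f1, MSG1)                    # one known plaintext...
    msg2 = xor(f2[4:], ks)[:len(MSG2)]                  # ...exposes the other frame
    delta = b"\x01" + bytes(len(MSG1) - 1)              # one-bit change to MSG1
    return {
        "roundtrip": wep_decrypt(KEY, f1),
        "reused_ivs": find_iv_reuse([f1, f2, f3]),
        "keystream_matches": ks == rc4(IV + KEY, len(ks)),
        "iv_reuse_exposes_frame": msg2 == MSG2,
        "crc_affine": crc_is_affine(MSG1, delta),
        "hmac_affine": hmac_is_affine(KEY, MSG1, delta),
    }
```
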

4 WIRELESS VLANS

Some fundamental parts of standard wired VLAN networking cannot be duplicated in the
wireless world. The original goal or purpose of building VLANs was as a means to limit broadcast
domains. In the wireless world, there is no way to limit broadcast domains. This means that
even the parts of VLAN networking that do work do so without the performance advantages
VLANs were designed to provide. In addition to not gaining the performance advantage of
VLAN use, the inability to limit which hosts have physical access to packets means
wireless VLANs lose the security advantages of VLANs as well. The security can be improved by
using the key management features of WEP, by using separate keys for each host, or at least by
using all four system-wide keys. Also, all wireless hosts interface to the wired network through a
small set of APs. This means that the dominant VLAN membership definition style, assignment of
VLAN membership by switch port, does not work, because multiple hosts connect through the
same switch port via the AP. Physically mobile devices that roam among many APs (with
many different switch ports) further complicate the issue of VLAN assignment by switch port.

Other fundamental parts of VLAN networking remain unchanged in the IEEE 802.11 wireless
environment. Wireless networks can still use MAC address based membership schemes, because
IEEE 802.11 uses exactly the same MAC addressing as Ethernet. Other lesser-known membership
schemes, such as protocol-based VLAN membership, can also be used in the same way in wireless
networks as in wired networks.

5 CONCLUSION

VLANs and WLANs are promising and useful technologies.

VLANs successfully achieve their design goal of limiting broadcast traffic and allowing larger
flat switched networks, eliminating the complexity, cost and performance problems of routers.
They even provide a moderate improvement in the security of a network. They do not provide
“strong” security, however. In an environment that needs strong security, VLAN security
must be supplemented the same way standard LAN network security is supplemented. Only
through the use of proven techniques such as strong cryptography can strong confidentiality,
integrity and authenticity be provided.

WLANs provide convenience, quick and cheap installation and full network access for mobile
devices. WEP "raises the bar" in terms of security and the difficulty of mounting eavesdropping,
data modification and data insertion attacks. It does not provide the level of security intended by
the designers, due to flaws in the protocol design. But even if the security goals of the
designers were met, this would only give wireless environments security equivalent to that of
their basic wired counterparts. As with VLANs, in an environment that needs strong security,
WLAN security must be supplemented the same way standard LAN network security is
supplemented. Only through the use of proven techniques such as strong cryptography can strong
confidentiality, integrity and authenticity be provided.

While these two technologies are promising independently, they do not work well together. They
can be made to co-exist, but because of the fundamental differences in the problems they were
designed to solve and the environments in which they were designed to operate, they do not mesh
together in any synergistic way.


6 REFERENCES

[1] Smith, Marina. Virtual LANs. McGraw Hill, New York, NY, 1998.

[2] Scott, Charlie, Wolfe, Paul, and Erwin, Mike. Virtual Private Networks, Second Edition. O’Reilly and
Associates, Inc., Sebastopol, CA, 1999.

[3] Perlmutter, Bruce, with Zarkower, Jonathan. Virtual Private Networking, a View From the Trenches. Prentice
Hall PTR, Upper Saddle River, NJ, 2000.

[4] Passmore, David and Freeman, John. The Virtual LAN Technology Report.
http://www.3com.com/nsc/200374.html, May 1996.

[5] Cisco Systems, Inc. VLAN Standardization via IEEE 802.10. http://www.cisco.com/warp/public/537/6.html,
July 1995.

[6] Cisco Systems, Inc. Cisco VLAN Roadmap. http://www.cisco.com/warp/public/538/7.html, April 1999.

[7] University of California at Davis. VLAN Information. http://net21.ucdavis.edu/newvlan.htm, October 1998.

[8] Ryan, Jerry. A Practical Guide to the Right VPN Solution. http://www.techguide.com, 2000.

[9] Varadarajan, Suba. Virtual Local Area Networks.
http://www.cis.ohio-state.edu/~jain/cis788-97/virtual_lans/index.htm, August 1997.

[10] Taylor, David. Are there Vulnerabilities in VLAN Implementations? SANS Institute,
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm, July 2000.

[11] Goldberg, Ian, Wagner, David, and Borisov, Nikita. Intercepting Mobile Communications: The Insecurity of
802.11 (draft). http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf, 2001.

[12] Zyren, Jim and Petrick, Al. IEEE 802.11 Tutorial. http://www.wi-fi.net/downloads/IEEE_80211_Primer.pdf,
2001.

[13] Champness, Angela. IEEE 802.11 DSSS: The Path To High Speed Wireless Data Networking.
http://www.wi-fi.net/downloads/weca80211boverview.pdf, 2001.

[14] Vicom Technology, Ltd. Wireless Networking Q&A.
http://www.vicomsoft.com/knowledge/reference/wireless1.html, 2001.
